On the Active Directory Domain Services page, review the information, and then click Next.

On the Confirm installation selections page, click Install. The Feature installation progress bar on the Results page indicates that the role is being installed.

On the Results page, verify that the installation succeeded, and click Close. In Server Manager, click the warning icon with an exclamation mark in the top-right corner of the screen, next to Manage. In the Tasks list, click the Promote this server to a domain controller link.

On the Deployment Configuration page, click Add a new forest, type the name of the root domain, contoso.com, and then click Next.

On the Domain Controller Options page, select the domain and forest functional levels as Windows Server 2012, specify the DSRM password pass@word1, and then click Next.

On the DNS Options page, click Next.

On the Additional Options page, click Next.

On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or accept default locations), and then click Next.

On the Review Options page, confirm your selections, and then click Next.

On the Prerequisites Check page, confirm that the prerequisites validation is completed, and then click Install.

On the Results page, verify that the server was successfully configured as a domain controller, and then click Close.

You should install the Microsoft Office Filter Packs on Windows Server 2012 to enable IFilters for a wider array of Office files than are provided by default. Windows Server 2012 does not have any IFilters for Microsoft Office Files installed by default, and the file classification infrastructure uses IFilters to perform content analysis.

When you create quotas and file screens, you have the option of sending email notifications to users when their quota limit is approaching or after they have attempted to save files that have been blocked. If you want to routinely notify certain administrators of quota and file screening events, you can configure one or more default recipients. To send these notifications, you must specify the SMTP server to be used for forwarding the email messages.

On the E-mail Notifications tab, under SMTP server name or IP address, type the host name or the IP address of the SMTP server that will forward email notifications.

If you want to routinely notify certain administrators of quota or file screening events, under Default administrator recipients, type each email address such as fileadmin@contoso.com. Use the format account@domain, and use semicolons to separate multiple accounts.

Create a new NTFS volume on FILE1 and then create the following folder: D:\Finance Documents.

Create the following files with the details specified:

Finance Memo.docx: Add some finance related text in the document. For example, “The business rules about who can access finance documents have changed. Finance documents are now only accessed by members of the FinanceExpert group. No other departments or groups have access.” You need to evaluate the impact of this change before implementing it in the environment. Ensure that this document has CONTOSO CONFIDENTIAL as the footer on every page.

Request for Approval to Hire.docx: Create a form in this document that collects applicant information. You must have the following fields in the document: Applicant Name, Social Security number, Job Title, Proposed Salary, Starting Date, Supervisor name, Department. Add an additional section in the document that has a form for Supervisor Signature, Approved Salary, Confirmation of Offer, and Status of Offer. Make the document rights-management enabled.

Word Document1.docx: Add some test content to this document.

Word Document2.docx: Add test content to this document.

Workbook1.xlsx

Workbook2.xlsx

Create a folder on the desktop called Regular Expressions. Create a text document under the folder called RegEx-SSN. Type the following content in the file, and then save and close the file: ^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$

Share the folder D:\Finance Documents as Finance Documents and allow everyone to have Read and Write access to the share.
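An added example, not part of the original procedure: the RegEx-SSN pattern saved in the step above, checked in Windows PowerShell, whose [regex] type uses the .NET regular-expression engine. All sample values are constructed, and Test-SsnPattern is a hypothetical helper name.

```powershell
# Pattern exactly as saved in RegEx-SSN (single quotes: no PowerShell expansion).
$ssnPattern = '^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$'

# Hypothetical helper: returns $true when $Text matches the pattern.
function Test-SsnPattern {
    param(
        [string]$Text,
        [System.Text.RegularExpressions.RegexOptions]$Options = 'None'
    )
    [regex]::IsMatch($Text, $ssnPattern, $Options)
}

# Constructed sample values; none is a real identifier.
$samples = [ordered]@{
    '123-45-6789'      = 'dashes'
    '123 45 6789'      = 'spaces'
    '123456789'        = 'no separator'
    '123-45 6789'      = 'mixed separators: \3 must repeat the first one'
    '000-45-6789'      = 'area 000 rejected by (?!000)'
    '123-00-6789'      = 'group 00 rejected by (?!00)'
    '123-45-0000'      = 'serial 0000 rejected by (?!0000)'
    '823-45-6789'      = 'first digit above 7'
    'SSN: 123-45-6789' = 'embedded in other text'
}

foreach ($s in $samples.GetEnumerator()) {
    '{0,-18} {1,-6} {2}' -f $s.Key, (Test-SsnPattern $s.Key), $s.Value
}

# The first alternative, [0-7]\d{2}, already covers 700-799, so the
# 7([0-7]\d|7[012]) branch never changes the result: any area 001-799 passes.
Test-SsnPattern '799-45-6789'

# ^ and $ anchor the whole input unless Multiline is set, so a number that
# sits on its own line inside a longer text matches only with that option.
$doc = "Applicant Name: Test User`nSocial Security number:`n123-45-6789`nJob Title: Analyst"
Test-SsnPattern $doc                # whole-string anchors: no match
Test-SsnPattern $doc 'Multiline'    # per-line anchors: match
```

Only the first three samples and 799-45-6789 return True; the embedded and multi-line cases show that the anchored pattern fires only when the number is the whole string, or a whole line when Multiline is set.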

Note

Central access policies are not enabled by default on the system or boot volume C:.

Sign in to FILE1 as CONTOSO\Administrator or as a member of the Domain Admins group.

Important

To install the AD RMS server role, the installer account (in this case, CONTOSO\Administrator) must be a member of both the local Administrators group on the server computer where AD RMS is to be installed and the Enterprise Admins group in Active Directory.

In Server Manager, click Add Roles and Features. The Add Roles and Features Wizard appears.

On the Before you Begin screen, click Next.

On the Select Installation Type screen, click Role/Feature Based Install, and then click Next.

On the Select Server Targets screen, click Next.

On the Select Server Roles screen, select the box next to Active Directory Rights Management Services, and then click Next.

In the Add features that are required for Active Directory Rights Management Services? dialog box, click Add Features.

After the installation has completed, on the Installation Progress screen, click Perform additional configuration. The AD RMS Configuration Wizard appears.

On the AD RMS screen, click Next.

On the AD RMS Cluster screen, select Create a new AD RMS root cluster and then click Next.

On the Configuration Database screen, click Use Windows Internal Database on this server, and then click Next.

Note

Using the Windows Internal Database is recommended for test environments only because it does not support more than one server in the AD RMS cluster. Production deployments should use a separate database server.

On the Service Account screen, in Domain User Account, click Specify, specify the user name (contoso\rms) and password (pass@word1), click OK, and then click Next.

On the Cryptographic Mode screen, click Cryptographic Mode 2.

On the Cluster Key Storage screen, click Next.

On the Cluster Key Password screen, in the Password and Confirm password boxes, type pass@word1, and then click Next.

On the Cluster Web Site screen, make sure that Default Web Site is selected, and then click Next.

On the Cluster Address screen, select the Use an unencrypted connection option. In the Fully Qualified Domain Name box, type FILE1.contoso.com, and then click Next.

On the Licensor Certificate Name screen, accept the default name (FILE1) in the text box and click Next.

On the SCP Registration screen, select Register SCP now, and then click Next.

On the Confirmation screen, click Install.

On the Results screen, click Close, and then click Close on the Installation Progress screen. When complete, log off and log on as contoso\rms using the password provided (pass@word1).

Launch the AD RMS console and navigate to Rights Policy Templates.

To open the AD RMS console, in Server Manager, click Local Server in the console tree, then click Tools, and then click Active Directory Rights Management Services.

Click the Create Distributed Rights Policy template located on the right panel, click Add, and select the following information:

To install the AD RMS server role, the installer account (in this case, CONTOSO\Administrator) must be a member of both the local Administrators group on the server computer where AD RMS is to be installed and the Enterprise Admins group in Active Directory.

On the Server desktop, right-click the Windows PowerShell icon on the taskbar and select Run as Administrator to open a Windows PowerShell prompt with administrative privileges.

To use Server Manager cmdlets to install the AD RMS server role, type:

Type "Y" when the cmdlet prompts you to confirm you want to start the installation.

Log out as CONTOSO\Administrator and log on as CONTOSO\RMS using the provided password ("pass@word1").

Important

To manage the AD RMS server, the account you are logged on with and using to manage the server (in this case, CONTOSO\RMS) must be a member of both the local Administrators group on the AD RMS server computer and the Enterprise Admins group in Active Directory.

On the Server desktop, right-click the Windows PowerShell icon on the taskbar and select Run as Administrator to open a Windows PowerShell prompt with administrative privileges.

Create the Windows PowerShell drive to represent the AD RMS server you are configuring.

For example, to create a Windows PowerShell drive named RC to configure the AD RMS root cluster, type:

Joining virtual machines to a domain and deploying claim types across forests require that the virtual machines be able to resolve the FQDNs of the relevant domains. You may have to manually configure the DNS settings on the virtual machines to accomplish this. For more information, see Configuring a virtual network.

All the virtual machine images (servers and clients) must be reconfigured to use a static IP version 4 (IPv4) address and Domain Name System (DNS) client settings. For more information, see Configure a DNS Client for Static IP Address.

Connect the virtual machine to the ID_AD_Network. Sign in to DC2 as Administrator with the password Pass@word1.

In Server Manager, click Manage, and then click Add Roles and Features.

On the Before you begin page, click Next.

On the Select Installation Type page, click Role-based or Feature-based Install, and then click Next.

On the Select destination server page, click Select a server from the server pool, click the name of the server where you want to install Active Directory Domain Services (AD DS), and then click Next.

On the Confirmation page, click Install. The Feature installation progress bar on the Results page indicates that the role is being installed.

On the Results page, verify that the installation succeeded, and then click the warning icon with an exclamation mark in the top-right corner of the screen, next to Manage. In the Tasks list, click the Promote this server to a domain controller link.

Important

If you close the installation wizard at this point rather than click Promote this server to a domain controller, you can continue the AD DS installation by clicking Tasks in Server Manager.

On the Deployment Configuration page, click Add a new forest, type the name of the root domain, adatum.com, and then click Next.

On the Domain Controller Options page, select the domain and forest functional levels as Windows Server 2012, specify the DSRM password pass@word1, and then click Next.

On the DNS Options page, click Next.

On the Additional Options page, click Next.

On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or accept default locations), and then click Next.

On the Review Options page, confirm your selections, and then click Next.

On the Prerequisites Check page, confirm that the prerequisites validation is completed, and then click Install.

On the Results page, verify that the server was successfully configured as a domain controller, and then click Close.

In the left pane of Active Directory Administrative Center, click Tree View. In the left pane, click Dynamic Access Control, and then double-click Resource Properties.

Select Company from the Resource Properties list, right-click and select Properties. In the Suggested Values section, click Add to add the suggested values: Contoso and Adatum, and then click OK twice.

Select Company from the Resource Properties list, right-click and select Enable.

In the Permissions section, select the Use following permissions as current permissions option, click Edit, and then click Add. Click the Select a principal link, type Authenticated Users, and then click OK.

In the Permission Entry for Permissions dialog box, click Add a condition, and enter the following conditions: [User] [Company] [Equals] [Value] [Adatum]. Permissions should be Modify, Read and Execute, Read, Write.

Click OK.

Click OK three times to finish and return to Active Directory Administrative Center.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

On the Start screen, type Administrative Tools, and in the Search bar, click Settings. In the Settings results, click Administrative Tools. Open the Group Policy Management Console from the Administrative Tools folder.

Tip

If the Show Administrative tools setting is disabled, the Administrative Tools folder and its contents will not appear in the Settings results.

Right-click the contoso.com domain, and then click Create a GPO in this domain and Link it here…

Type a descriptive name for the GPO, such as AdatumAccessGPO, and then click OK.

In Hyper-V Manager, connect to server FILE1. Sign in to the server by using Contoso\Administrator, with the password pass@word1.

Open an elevated command prompt and type: gpupdate /force. This will ensure that your Group Policy changes will take effect on your server.

You also need to refresh the Global Resource Properties from Active Directory. Open Windows PowerShell, type Update-FsrmClassificationPropertyDefinition, and then press ENTER. Close Windows PowerShell.

Open Windows Explorer, and navigate to D:\EARNINGS. Right-click the Earnings folder, and click Properties.

Click the Classification tab. Select Company, and then select Adatum in the Value field.

Click Change, select Adatum Only Access Policy from the drop-down menu, and then click Apply.

Click the Security tab, click Advanced, and then click the Central Policy tab. You should see the AdatumEmployeeAccessRule listed. You can expand the item to view all of the permissions that you set when you created the rule in Active Directory.